Hi,

it seems that you are affected by https://bugzilla.redhat.com/show_bug.cgi?id=1880149
Could you please try the workaround mentioned there?

Thanks,
Martin


On Thu, Oct 1, 2020 at 11:17 AM Jiří Sléžka <jiri.slezka@slu.cz> wrote:
Hi,

I just upgraded my HE to 4.4.2 but now I cannot login using my ldap aaa
profile anymore.

We are using Novell/NetIQ E-directory (load balanced by haproxy,
probably not important...)

In 4.4.1 I was hit by removed TLSv1 (which is the newest protocol
supported by our edir) from default crypto policies, but I was able to
revert it by

update-crypto-policies --set LEGACY

After upgrading to 4.4.2 the error is

server_error: An error occurred while attempting to connect to server
ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect
error), errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))

But our ldap server is reachable from ovirt; I tested it via the
following (the ldaps and starttls variants are also working):

ldapsearch -H ldap://ldap1.slu.cz -x -D cn=*****,ou=******,o=su -w
'************' -b 'o=su'

As a workaround I tried to set the plain ldap protocol in the profile:

cat /etc/ovirt-engine/aaa/CRO.properties

include = <rfc2307-edir.properties>

vars.server = ldap1.slu.cz
vars.port = 389
vars.user = cn=*****,ou=******,o=su
vars.password = **************

pool.default.serverset.single.server = ${global:vars.server}
pool.default.serverset.single.port = ${global:vars.port}
pool.default.auth.simple.bindDN = ${global:vars.user}
pool.default.auth.simple.password = ${global:vars.password}

pool.default.ssl.startTLS = false
pool.default.ssl.enable = false
#pool.default.ssl.protocol = TLSv1
#pool.default.ssl.startTLSProtocol = TLSv1
#pool.default.ssl.insecure = true

sequence-init.init.100-my-edir-init-vars = my-edir-init-vars
sequence.my-edir-init-vars.010.description = set baseDN
sequence.my-edir-init-vars.010.type = var-set
sequence.my-edir-init-vars.010.var-set.variable = simple_baseDN
sequence.my-edir-init-vars.010.var-set.value = o=su

#search.default.search-request.derefPolicy = ALWAYS


but the error is the same...

ovirt-engine-extensions-tool aaa login-user --profile=CRO
--user-name=my_user

....
WARNING: [ovirt-engine-extension-aaa-ldap.authn::SU-LDAP-authentication]
TLS/SSL insecure mode
...
WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
initialize LDAP framework, deferring initialization. Error: An error
occurred while attempting to connect to server ldap1.slu.cz:389:
IOException(LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
...
INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS
profile='CRO' user='my_user'
Password:
...
WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot
initialize LDAP framework, deferring initialization. Error: An error
occurred while attempting to connect to server ldap1.slu.cz:389:
IOException(LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
Oct 01, 2020 10:57:37 AM
org.ovirt.engine.exttool.core.ExtensionsToolExecutor main
SEVERE: An error occurred while attempting to connect to server
ldap1.slu.cz:389:  IOException(LDAPException(resultCode=91 (connect
error), errorMessage='An error occurred while attempting to establish a
connection to server ldap1.slu.cz/193.84.206.212:389:
SocketException(Network is unreachable (connect failed)),
ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))

Debugging with tcpdump reveals only that a connection is made and that
only "bindRequest" and "bindResponse success" messages are visible (with
a correct tcp handshake and close), nothing more.

Any help would be appreciated.

Cheers,

Jiri

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/M4MFGXGJ33R5DFX66HHGENOROHGOTF2D/


--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.
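Added example, not part of this thread and not code from the oVirt project: a small Python parser that pulls the structured parts (server, resolved address, LDAP resultCode, innermost Java exception) out of the aaa-ldap connect-error lines quoted above, collapses the repeated identical errors, and maps the root-cause message to the usual socket-level meaning. The two real lines in SAMPLE_LOG are the ones from the thread, re-joined where the mail client wrapped them; the third line is constructed to show a different failure class, and its revision value is a placeholder. The diagnosis table is general socket-error knowledge, not a statement of the root cause of the bug Martin references.

```python
"""Triage oVirt aaa-ldap connect errors from engine / extensions-tool output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# First two error lines: as quoted in the thread (unwrapped). Third line: CONSTRUCTED,
# with a placeholder revision, to exercise a different root cause.
SAMPLE_LOG = (
    "WARNING: [ovirt-engine-extension-aaa-ldap.authn::auth.CRO.slu.cz] Cannot initialize LDAP "
    "framework, deferring initialization. Error: An error occurred while attempting to connect to "
    "server ldap1.slu.cz:389: IOException(LDAPException(resultCode=91 (connect error), "
    "errorMessage='An error occurred while attempting to establish a connection to server "
    "ldap1.slu.cz/193.84.206.212:389: SocketException(Network is unreachable (connect failed)), "
    "ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))\n"
    "INFO: API: -->Authn.InvokeCommands.AUTHENTICATE_CREDENTIALS profile='CRO' user='my_user'\n"
    "SEVERE: An error occurred while attempting to connect to server ldap1.slu.cz:389:  "
    "IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred "
    "while attempting to establish a connection to server ldap1.slu.cz/193.84.206.212:389: "
    "SocketException(Network is unreachable (connect failed)), ldapSDKVersion=4.0.14, "
    "revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))\n"
    "SEVERE: An error occurred while attempting to connect to server ldap2.example.test:636: "
    "IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred "
    "while attempting to establish a connection to server ldap2.example.test/203.0.113.10:636: "
    "ConnectException(Connection refused (Connection refused)), ldapSDKVersion=4.0.14, "
    "revision=PLACEHOLDER'))\n"
)

# Substring of the root-cause message -> what it usually means when triaging.
_DIAGNOSIS: Tuple[Tuple[str, str], ...] = (
    ("Network is unreachable",
     "ENETUNREACH: the engine host has no route to the address the JVM resolved; compare "
     "routing and address family (IPv4/IPv6) with the client that does connect"),
    ("Connection refused", "ECONNREFUSED: the host answered but nothing listens on that port"),
    ("timed out", "timeout: packets are dropped, typically by a firewall between engine and LDAP"),
    ("handshake", "TLS negotiation failed: protocol/cipher mismatch between JVM policy and server"),
)


@dataclass
class LdapConnectError:
    host: str
    port: int
    resolved_ip: Optional[str]
    result_code: int
    result_name: str
    root_exception: str
    root_message: str

    @property
    def diagnosis(self) -> str:
        for needle, meaning in _DIAGNOSIS:
            if needle in self.root_message:
                return meaning
        return "unclassified: inspect the root-cause message by hand"


_HEAD = re.compile(r"connect to server (?P<host>[^\s:/]+):(?P<port>\d+):")
_CODE = re.compile(r"resultCode=(?P<code>\d+) \((?P<name>[^)]*)\)")
_RESOLVED = re.compile(r"connection to server [^\s/]+/(?P<ip>[0-9A-Fa-f.:]+):\d+:")
_EXC = re.compile(r"([A-Za-z]+Exception)\(")


def _balanced(text: str, start: int) -> str:
    """Text from `start` up to the ')' matching the '(' immediately before `start`."""
    depth = 1
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]


def parse_error(line: str) -> Optional[LdapConnectError]:
    head, code = _HEAD.search(line), _CODE.search(line)
    if not head or not code:
        return None  # not an LDAP connect-error line
    exceptions = list(_EXC.finditer(line))
    if exceptions:
        inner = exceptions[-1]  # innermost Java exception is the real root cause
        root_exc, root_msg = inner.group(1), _balanced(line, inner.end())
    else:
        root_exc, root_msg = "", ""
    resolved = _RESOLVED.search(line)
    return LdapConnectError(
        host=head.group("host"), port=int(head.group("port")),
        resolved_ip=resolved.group("ip") if resolved else None,
        result_code=int(code.group("code")), result_name=code.group("name"),
        root_exception=root_exc, root_message=root_msg,
    )


def parse_log(log_text: str) -> List[LdapConnectError]:
    return [e for e in map(parse_error, log_text.splitlines()) if e is not None]


def summarize(errors: List[LdapConnectError]) -> Dict[Tuple[str, int, str], int]:
    """Collapse repeated identical errors into (host, port, root cause) -> count."""
    counts: Dict[Tuple[str, int, str], int] = {}
    for e in errors:
        key = (e.host, e.port, e.root_message)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for (host, port, cause), n in summarize(found).items():
        sample = next(e for e in found if (e.host, e.port, e.root_message) == (host, port, cause))
        print(f"{host}:{port} (resolved {sample.resolved_ip}) x{n}: {cause}")
        print(f"    -> {sample.diagnosis}")
```

The point of keeping the innermost exception separate from the LDAP SDK's resultCode is that resultCode 91 only says "connect error"; the `SocketException` text underneath is what distinguishes a routing problem from a closed port or a TLS policy mismatch, which is exactly the distinction the ldapsearch and tcpdump checks in the thread were trying to make.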